diff --git a/js/components/security/access/configure-access-modal.html b/js/components/security/access/configure-access-modal.html
index fb966053a..b437d938f 100644
--- a/js/components/security/access/configure-access-modal.html
+++ b/js/components/security/access/configure-access-modal.html
@@ -14,13 +14,18 @@
 										    readRoleOptions: readRoleOptions,
 										    readRoleSearch: readRoleSearch,
 		                                                                    writeRoleOptions: writeRoleOptions,
-										    writeRoleSearch: writeRoleSearch
+										    writeRoleSearch: writeRoleSearch,
+                                                                                    shareFlag: shareFlag,
+		                                                                    grantGlobalReadAccess: grantGlobalReadAccess,
+                                                                                    revokeGlobalReadAccess: revokeGlobalReadAccess,
 										 }">
     <loading data-bind="css: classes('loading-panel'), visible: isLoading()" params="status: ko.i18n('common.configureAccessModal.loadingAccessList', 'Loading access list...')"></loading>
+
+    
     <div data-bind="css: classes()">
         <div data-bind="if: !isLoading()">
             <div data-bind="css: classes('new-access')">
-                <label data-bind="css: classes('new-access-label'), text: ko.i18n('common.configureAccessModal.addWriteAccessToRole', 'Add WRITE access to role:')"></label>
+                <label data-bind="css: classes('new-access-label'), text: ko.i18n('common.configureAccessModal.addWriteAccessToRole', 'Grant WRITE access to role:')"></label>
                 <div class="input-group"
                      data-bind="css: classes({ element: 'new-access-btn-group', extra: ['new-access-btn-group'] })">
                     <input
@@ -48,8 +53,10 @@
                     </div>
                 </div>
 	    </div>
+
+	    <div>	   	
 	    <div data-bind="css: classes('new-access')">
-		<label data-bind="css: classes('new-access-label'), text: ko.i18n('common.configureAccessModal.addReadAccessToRole', 'Add READ access to role:')"></label>
+		<label data-bind="css: classes('new-access-label'), text: ko.i18n('common.configureAccessModal.addReadAccessToRole', 'Grant READ access to role:')"></label>
                 <div class="input-group"
                      data-bind="css: classes({ element: 'new-access-btn-group', extra: ['new-access-btn-group'] })">
                     <input
@@ -77,6 +84,33 @@
                     </div>
 		</div>
 	    </div>
+
+	    
+	    <div><br></div>
+	    <!-- A BUTTON TO SHARE GLOBALLY -->
+	    <div>
+		<label data-bind="css: classes('new-access-label'), text: ko.i18n('common.configureAccessModal.globalReadStatus', 'Status of global READ access:')"></label>
+		<div/>
+		<div class="btn-group" data-toggle="buttons">
+		    <label data-bind="css: { active: shareFlag()},
+				      click: function () { shareFlag(false); grantGlobalReadAccess();},
+				      clickBubble: false,
+				      text: ko.i18n('common.configureAccessModal.globalReadStatusNotGranted', 'Granted')
+				      "
+			   class="btn btn-primary",		   
+		    />
+		    <label data-bind="css: { active: !shareFlag()}, 
+				      click: function () { shareFlag(true); revokeGlobalReadAccess();},
+				      clickBubble: false,
+				      text: ko.i18n('common.configureAccessModal.globalReadStatusIsGranted', 'Not Granted')
+				      " 
+			   class="btn btn-primary",		   		   
+		    />
+		</div>	
+	    </div>
+
+	    <div><br></div>
+	    
         </div>
     </div>
 </atlas-modal>
diff --git a/js/components/security/access/configure-access-modal.js b/js/components/security/access/configure-access-modal.js
index 61efbe232..3f8a950f7 100644
--- a/js/components/security/access/configure-access-modal.js
+++ b/js/components/security/access/configure-access-modal.js
@@ -1,6 +1,6 @@
 define([
 	'knockout',
-	'text!./configure-access-modal.html',
+        'text!./configure-access-modal.html',
 	'components/Component',
 	'utils/CommonUtils',
 	'utils/AutoBind',
@@ -8,7 +8,7 @@ define([
 	'databindings',
 ], function (
 	ko,
-	view,
+        view,
 	Component,
 	commonUtils,
 	AutoBind
@@ -34,6 +34,8 @@ define([
 			this.readRoleSearch = ko.observable();
 			this.readRoleSearch.subscribe(str => this.loadReadRoleSuggestions(str));
 
+		        this.shareFlag = ko.observable(true);
+		    
 			this.isOwnerFn = params.isOwnerFn;
 			this.grantAccessFn = params.grantAccessFn;
 			this.loadAccessListFn = params.loadAccessListFn;
@@ -109,7 +111,14 @@ define([
 			} catch (ex) {
 				console.log(ex);
 			}
-			this.isLoading(false);
+		       this.isLoading(false);
+
+		       // update shareFlag depending on if the shared artifacts reader role is in readAccessList
+		       function testForGlobalRead(value, index, array) {
+			   return value.id === 1; // the 'public' role that every use should have
+		       }
+		       let tst = this.readAccessList().some(testForGlobalRead);
+		       this.shareFlag(tst);
 		}
 
 		async grantAccess(perm_type) {
@@ -124,7 +133,6 @@ define([
 				   const role = this.readRoleSuggestions().find(r => r.name === this.readRoleName());
 			   	   await this.grantAccessFn(role.id,'READ');
 				   await this._loadReadAccessList();
-				   this.readRoleName('');
 			       }
 			} catch (ex) {
 				console.log(ex);
@@ -142,6 +150,31 @@ define([
 			}
 			this.isLoading(false);
 		}
+
+
+  	        async grantGlobalReadAccess() {
+		    this.isLoading(true);
+		    try {
+			console.log('grantGlobalReadAccess  function  called to grant read permissions!! shareflag: ' + this.shareFlag());
+			await this.grantAccessFn('1','READ'); // 1 is the 'public' role, a SYSTEM role every user should have
+			await this.loadAccessList();
+		    } catch (ex) {
+			console.log(ex);
+		    }
+		    this.isLoading(false);
+		}
+
+  	        async revokeGlobalReadAccess() {	    
+		    this.isLoading(true);
+		    try {
+			console.log('revokeGlobalReadAccess  function  called to REVOKE read permissions!! shareflag: ' + this.shareFlag());
+			await this.revokeAccessFn('1','READ'); // 1 is the 'public' role, a SYSTEM role every user should have
+			await this.loadAccessList();
+		    } catch (ex) {
+			console.log(ex);
+		    }
+		    this.isLoading(false);
+		}
 	}
 
 	return commonUtils.build('configure-access-modal', ConfigureAccessModal, view);
diff --git a/js/pages/cohort-definitions/cohort-definition-manager.html b/js/pages/cohort-definitions/cohort-definition-manager.html
index 2665a0ca7..86ddfba6b 100644
--- a/js/pages/cohort-definitions/cohort-definition-manager.html
+++ b/js/pages/cohort-definitions/cohort-definition-manager.html
@@ -33,7 +33,7 @@
 					<button class="btn btn-primary"
 						data-bind="visible: !previewVersion(), title: ko.i18n('cohortDefinitions.cohortDefinitionManager.getLinkCohortTitle', 'Get a link to this cohort definition'), enable: !dirtyFlag().isDirty() && !isProcessing(), click: function () { $component.cohortLinkModalOpened(true) }"><i class="fa fa-link"></i></button>
 
-					<!-- ko if: enablePermissionManagement -->
+					<!-- ko if: (enablePermissionManagement() === true && userCanShare() === true) -->
 					<button class="btn btn-primary"
 						data-bind="title: ko.i18n('common.configureAccess', 'Configure access'), visible: isOwner() && !previewVersion(), click: () => isAccessModalShown(!isAccessModalShown())">
 						<i class="fa fa-lock"></i>
@@ -77,20 +77,14 @@
 			</li>
 
 			<li role="presentation"
-				data-bind="visible: !previewVersion(), css: { active: $component.tabMode() == 'samples' }, click: clickSampleTab">
-				<a data-bind="text: ko.i18n('cohortDefinitions.cohortDefinitionManager.tabs.samples', 'Samples')"></a>
+			    data-bind="visible: !previewVersion(), css: { active: $component.tabMode() == 'samples' }, click: clickSampleTab">
+			    <a data-bind="text: ko.i18n('cohortDefinitions.cohortDefinitionManager.tabs.samples', 'Samples')"></a>
 			</li>
 
 			<li role="presentation"
 				data-bind="visible: !previewVersion(), css: { active: $component.tabMode() == 'reporting' }, click: function() { $component.selectTab('reporting'); }">
 				<a data-bind="text: ko.i18n('cohortDefinitions.cohortDefinitionManager.tabs.reporting', 'Reporting')"></a>
 			</li>
-			<!--
-			<li role="presentation"
-				data-bind="visible: !previewVersion(), css: { active: $component.tabMode() == 'explore' }, click: function() { $component.selectTab('explore'); }">
-				<a data-bind="text: ko.i18n('cohortDefinitions.cohortDefinitionManager.tabs.explore', 'Explore')"></a>
-			</li>
-			-->
 			<li role="presentation"
 				data-bind="visible: !previewVersion(), css: { active: $component.tabMode() == 'export' }, click: () => { $component.selectTab('export'); refreshPrintFriendly(); }">
 				<a data-bind="text: ko.i18n('cohortDefinitions.cohortDefinitionManager.tabs.export', 'Export')"></a>
diff --git a/js/pages/cohort-definitions/cohort-definition-manager.js b/js/pages/cohort-definitions/cohort-definition-manager.js
index 99f13fdc5..895a3b80b 100644
--- a/js/pages/cohort-definitions/cohort-definition-manager.js
+++ b/js/pages/cohort-definitions/cohort-definition-manager.js
@@ -58,7 +58,7 @@ define(['jquery', 'knockout', 'text!./cohort-definition-manager.html',
 	'utilities/sql',
 	'components/conceptset/conceptset-list',
 	'components/name-validation',
-	'components/versions/versions'
+	'components/versions/versions',
 ], function (
 	$,
 	ko,
@@ -99,7 +99,7 @@ define(['jquery', 'knockout', 'text!./cohort-definition-manager.html',
 	globalConstants,
 	constants,
 	{ entityType },
-	conceptSetUtils,
+        conceptSetUtils,
 ) {
 	const includeKeys = ["UseEventEnd"];
 	function pruneJSON(key, value) {
@@ -198,7 +198,16 @@ define(['jquery', 'knockout', 'text!./cohort-definition-manager.html',
 			this.pollTimeoutId = null;
 			this.authApi = authApi;
 			this.config = config;
-			this.enablePermissionManagement = config.enablePermissionManagement;	    
+
+			this.enablePermissionManagement = ko.observable(config.enablePermissionManagement);
+			if (config.enablePermissionManagement) {
+				this.userCanShare = ko.observable(
+						!config.limitedPermissionManagement ||
+						authApi.isPermittedGlobalShareArtifact());
+			} else {
+				this.userCanShare = ko.observable(false);
+			}
+		    
 			this.relatedSourcecodesOptions = globalConstants.relatedSourcecodesOptions;
 			this.commonUtils = commonUtils;
 			this.isLoading = ko.observable(false);
@@ -914,7 +923,7 @@ define(['jquery', 'knockout', 'text!./cohort-definition-manager.html',
 		}
 
 		// METHODS
-
+	    
 		startPolling(cd, source) {
 			this.pollId = PollService.add({
 				callback: () => this.queryHeraclesJob(cd, source),
diff --git a/js/pages/concept-sets/conceptset-manager.html b/js/pages/concept-sets/conceptset-manager.html
index a1643e25a..4ff046c19 100644
--- a/js/pages/concept-sets/conceptset-manager.html
+++ b/js/pages/concept-sets/conceptset-manager.html
@@ -27,7 +27,7 @@
         <button type="button" class="btn btn-primary" data-bind="click: () => isTagsModalShown(!isTagsModalShown()), visible: canEdit() && !previewVersion(), css: { disabled: isProcessing() }, title: ko.i18n('common.tags', 'Tags')"><i class="fa fa-tags"></i></button>
         <button type="button" class="btn btn-primary" data-bind="visible: !previewVersion(), click: optimize, css: { disabled: !canOptimize() || isProcessing() }, text: ko.i18n('cs.manager.optimize', 'Optimize')"></button>
 
-	<!-- ko if: enablePermissionManagement -->
+	<!-- ko if: (enablePermissionManagement() === true && userCanShare() === true)  -->
         <button class="btn btn-primary" data-bind="visible: !previewVersion() && isOwner(), click: () => isAccessModalShown(!isAccessModalShown()), title: ko.i18n('common.configureAccess', 'Configure access')">
             <i class="fa fa-lock"></i>
         </button>
diff --git a/js/pages/concept-sets/conceptset-manager.js b/js/pages/concept-sets/conceptset-manager.js
index 7402046ed..6fb3f5aab 100644
--- a/js/pages/concept-sets/conceptset-manager.js
+++ b/js/pages/concept-sets/conceptset-manager.js
@@ -174,7 +174,16 @@ define([
 			this.canCopy = ko.computed(() => {
 				return this.currentConceptSet() && this.currentConceptSet().id > 0;
 			});
-			this.enablePermissionManagement = config.enablePermissionManagement;	    
+
+			this.enablePermissionManagement = ko.observable(config.enablePermissionManagement);
+			if (config.enablePermissionManagement) {
+				this.userCanShare = ko.observable(
+						!config.limitedPermissionManagement ||
+						authApi.isPermittedGlobalShareArtifact());
+			} else {
+				this.userCanShare = ko.observable(false);
+			}
+
 			this.isSaving = ko.observable(false);
 			this.isDeleting = ko.observable(false);
 			this.isOptimizing = ko.observable(false);
diff --git a/js/services/AuthAPI.js b/js/services/AuthAPI.js
index cd88bbb32..312ac890f 100644
--- a/js/services/AuthAPI.js
+++ b/js/services/AuthAPI.js
@@ -395,6 +395,12 @@ define(function(require, exports) {
         return isPermitted('cohortdefinition:' + id + ':copy:get');
     }
 
+    var isPermittedGlobalShareArtifact = function() {
+        // special * permission (intended for admins) that allows the
+        // user to share any artifact with a "global reader role":
+        return isPermitted('artifact:global:share:put');
+    }
+
     var isPermittedUpdateCohort = function(id) {
         var permission = 'cohortdefinition:' + id + ':put';
         return isPermitted(permission);
@@ -407,8 +413,18 @@ define(function(require, exports) {
     }
 
     var isPermittedGenerateCohort = function(cohortId, sourceKey) {
-        return isPermitted('cohortdefinition:' + cohortId + ':generate:' + sourceKey + ':get') &&
+        var v = isPermitted('cohortdefinition:' + cohortId + ':generate:' + sourceKey + ':get') &&
             isPermitted('cohortdefinition:' + cohortId + ':info:get');
+
+        // By default, everyone can generate any artifact they have
+        // permission to read. If limitedPermissionManagement has
+        // been set to true, the default
+        // generate functionality is not desired. Rather, users will have to
+        // have a permission that allows them to update the specific cohort definition. 
+        if (config.limitedPermissionManagement){
+            v = v && isPermitted('cohortdefinition:' + cohortId + ':put')
+        }
+        return v
     }
 
     var isPermittedReadCohortReport = function(cohortId, sourceKey) {
@@ -576,6 +592,7 @@ define(function(require, exports) {
         isPermittedReadCohort: isPermittedReadCohort,
         isPermittedCreateCohort: isPermittedCreateCohort,
         isPermittedCopyCohort: isPermittedCopyCohort,
+        isPermittedGlobalShareArtifact: isPermittedGlobalShareArtifact,
         isPermittedUpdateCohort: isPermittedUpdateCohort,
         isPermittedDeleteCohort: isPermittedDeleteCohort,
         isPermittedGenerateCohort: isPermittedGenerateCohort,